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Abstract. Relay attacks are a major concern for RFID systems: during an au- 
thentication process an adversary transparently relays messages between a veri- 
fier and a remote legitimate prover. 

We present an authentication protocol suited for RFID systems. Our solution is 
the first that prevents relay attacks without degrading the authentication security 
level: it minimizes the probability that the verifier accepts a fake proof of identity, 
whether or not a relay attack occurs. 
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1 Introduction 

Radio Frequency Identification (RFID) allows to identify objects or subjects without 
any physical nor optical contact, using transponders — micro-circuits with an antenna 
— queried by readers through a radio frequency channel. This technology is one of the 
most promising of this decade and is already widely used in applications such as access 
cards, transportation passes, payment cards, and passports. This success is partly due to 
the steadily decrease in both size and cost of passive transponders called tags. 

The relay attach exhibited by Desmedt, Goutier, and Bengio [5] recently became a 
major issue of concern for RFID authentication protocols. The adversary pretends to be 
the legitimate prover by relaying the messages that are exchanged during the execution 
of the protocol. This is illustrated through the following example. 

Consider an RFID-based ticket selling machine in a theater. To buy a ticket, the 
customer is not required to show his theater pass, an RFID tag. The customer needs to be 
close enough to the machine (verifier) so that the pass (prover) can communicate with it. 
The pass can be kept in the customer's pocket during the transaction. Assume there is a 
line of customers waiting for a ticket. Bob and Charlie masterminded the attack. Charlie 
is in front of the machine while Bob is far in the queue, close to Alice, the victim. 
When the machine initiates the transaction with Charlie's card, Charlie forwards the 
received signal to Bob who transmits it to Alice. The victim's tag automatically answers 
since a passive RFID tag — commonly used for such applications — responds without 
requiring the agreement of its holder. The answer is then transmitted back from Alice 



Sometimes referred to as Mafia fraud. 



to the machine through Bob and Charlie who act as relays. The whole communication 
is transparently relayed and the attack eventually succeeds: Alice pays Charlie's ticket. 

When it was first introduced in the late eighties, the relay attack appeared unrealis- 
tic. Nowadays, the relay attack is one of the most effective and feared attacks against 
RFID systems; it can be easily implemented since the reader and the tag communi- 
cate wirelessly, and it is not easily detectable by the victim because queried (passive) 
tags automatically answer to the requests without agreement of their bearers. Recently, 
Halvac and Rosa [6] noticed that the standard ISO 14443, related to proximity cards 
and widely deployed in biometric passports, can easily be abused by a relay attack due 
to the untight timeouts in the communication. 

All current authentication protocols that prevent relay attacks perform rather poorly 
against an adversary that does not relay messages. They guarantee the same security 
level regardless of the adversary's ability to relay messages. This may be considered as 
a weakness, in particular in situations where relay attacks are hard to perform. 

We introduce a new authentication protocol suited for RFID systems with the prop- 
erty that it minimizes the false-acceptance probability whether or not a relay attack 
occurs. In Section|2]we present our protocol. Section[3]is devoted to the security anal- 
ysis. Section |4] addresses the optimality of our solution. In Section [5] we compare our 
protocol with related authentication protocols. 

2 Protocol 

2.1 Protocol requirements and assumptions 

In the presence of the legitimate prover, the authentication protocol must guarantee 
that the verifier always accepts his proof of identity. The protocol must also prevent 
an adversary of being falsely identified assuming she can participate either passively or 
actively in protocol executions with either or both the prover and the verifier. This means 
that the adversary can 1) eavesdrop protocol executions between the legitimate prover 
and the verifier (passive attack); 2) be involved in protocol executions with the verifier 
and the legitimate prover separately or simultaneously (active attack). We assume that 
neither the prover nor the verifier colludes with the adversary, i.e., the only information 
the adversary can obtain is through protocol executions. Finally, we assume that the 
legitimate prover and the adversary never want to get simultaneously authenticated. 

Given an integer N > 1, we consider that the adversary is successful if she is able to 
impersonate the legitimate prover within N protocol executions involving either passive 
or active attacks. Throughout the paper, N is considered as a fixed constant and, in the 
RFID context, may be interpreted as the typical number of authentications the tag can 
support during its life. 

2.2 Protocol description 

Prior to the protocol execution, the legitimate prover and the verifier agree on a common 
secret key k in the form of a binary string of length 



4 = 2 n+2 - 2 



(1) 



for some integer n > 1. The protocol consists of three parts: initialization, authentica- 
tion, and proximity check. The initialization and the authentication parts are executed 
during a "slow phase" where no time measure takes place. The proximity check, in- 
stead, involves time measure and is often referred to as the "fast phase." 

In addition to £k, the protocol involves two positive integers £ a and if, whose values 
will be specified in Section[3] 

Initialization. The prover sends a random £ -bit string a to the verifier and, similarly, 
the prover sends a random £&-bit string b to the verifier. With a, b, and their common 
secret key k, the verifier and the prover generate a full binary tree r(a,b, k) of depth 
n + 1 as follows (see Fig.[T]for an example). The left and the right edges are labeled 
and 1, respectively, and each node (except the root) takes the value or 1 depending on 
a, b, and k. 

The "tree valued" function r(a, b, k) is a one-to-one function whenever two of the 
three variables a, b, k are kept fixed. (For this to be possible, £ a and must be at most 
equal to £k since the total number of complete binary trees of depth n + 1 is equal to 

2 2«+ 2 -2 = 2 4.) 




Fig. 1. Decision tree with n = 2 and £k = 14. The thick line path in the tree corresponds 
to the verifier's challenges 0, 1 and the prover's replies 1, 0. 



Authentication. The prover transmits the m bits corresponding to the m leftmost 
leaves, starting from the left. The value of m will be specified in Section[3] For now, m 
is some value smaller than 2™ +1 , the total number of leaves. 

Proximity check. An n-round fast bit exchange between the verifier and the prover pro- 
ceeds using the tree. The edge and the node values represent the "verifier's challenges" 
and the "prover's replies," respectively. At each step i € {1, 2, . . . , n} the verifier gen- 
erates a challenge in the form of a random bit $ and sends it to the prover. The prover 
replies by sending the value of the node in the tree whose edge path from the root is 
<f = qi, §2, • • • , Qi' This reply is denoted by ri(q l ). 

In the example illustrated by Fig.Q] the verifier always replies in the second round 
unless the first and the second challenges are equal to one in which case the verifier 
replies 1, i.e., r 2 (q 2 ) — for q 2 ^ 11 and r 2 (<7 2 ) = 1 for q 2 = 11. Finally, for all 



i G {1,2,..., n}, the verifier measures the time interval between the instant qi is sent 
until ri(q l ) is received. 

The round-trip time for each challenge-response round guarantees that the prover 
is close from the verifier. Hence, a typical threshold is a value close to 2d/c where d 
denotes the distance from the verifier to the expected position of the prover and where 
c denotes the speed of light. 
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Fig. 2. Two-phase distance bounding protocol. 



Final decision. The verifier accepts the prover' s identity only if the m authentication 
bits are correct and if the n replies of the fast phase are correct while meeting the 
challenge-response time constraint. The protocol is given in Fig. [2] 

3 Security analysis 

We are interested in the probability of the event "over N protocol executions, the ver- 
ifier accepts the proof of identity of the attacker at least once." To compute this quan- 
tity, we make the following assumption which we discuss below: one protocol execu- 
tion provides no information to the attacker about the secret key k. As a corollary, the 
knowledge of a and b only reveals nothing about the assignment of each node which, 
independently, may take the values or 1 with probability 1/2. 



At first, the above assumption may rise some doubts since the m authentication bits 
and the n bits sent during the fast phase by the prover depend on the secret key. In 
practice, however, this assumption may be justified by arguing that if m + n is much 
smaller that the size of the key, Ik = 2 n+2 — 2, one protocol execution reveals almost 
no information about the secret key. To be consistent with our assumption, from now 
on we assume that m — m(n) — o(£f.), i.e., that m grows sub-exponentially with n. 

To compute the probability of false-authentication, we distinguish two cases de- 
pending on whether during the TV protocol executions the adversary acts alone — i.e., 
without interacting either passively or actively with the legitimate prover — or not. 

3.1 Attack without involving the legitimate prover 

We upper and lower bound the probability of false-acceptance (f-a) as 

Pr(f-a|J5) Pr(E) < Pr(f-a) < Pr(f-a|£') + Pr(.E c ) (2) 

where E denotes the event "over N protocol executions all trees are different" and 
where E c denotes the complement of E, Conditioned on E, the adversary maintains 
a uniform prior on the secret key fc on each protocol execution. Therefore, for each 
protocol execution the adversary achieves a probability of success (at best) equal to 
2~( m+n \ corresponding to random guesses. It follows that 

Pr(f-a|£0 = N ■ 2- {m+n ^ + o(2-( m+rl >) (n -»■ oo) . (3) 

The computation of Pr(E c ) refers to the birthday paradox. By letting l a = m + n, a 
standard calculation reveals thaj| 

Pi{E c ) < N ( N ~ V + (2- 2 (™+™)) (n -»■ oo) . (4) 

From (fill,©, and we get 

Pr(f-a) = 6>(2- (m+,l) ) (n -> oo) . (5) 

3.2 Attack involving the legitimate prover 

We distinguish two sub-cases, depending on whether the adversary can or cannot relay 
messages. 

With relay. In this case, the adversary can execute man-in-the-middle attacks to pass 
the authentication step for each of the N protocol executions; the adversary initiates 
the protocol with the verifier and relays the nonces a, b, and the authentication string 
si, S2, ■ ■ ■ , s m . However, to succeed the adversary must pass the proximity check. We 
compute the probability of false-acceptance (f-a) assuming the adversary passed the 
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authentication step. Similarly as in ©, we upper and lower bound the probability of 
false-acceptance as 



Pr(f-a|£ 6 ) Pr{E b ) < Pr(f-a) < Pr(f-a|£ 6 ) + Pi(E c b ) (6) 

where E b denotes the event "over N protocol executions all b nonces are different." 

We first compute Pr(f-a\E b ). Because of the time constraint, the adversary cannot 
relay information between the verifier and the prover during the fast phase. This means 
that the adversary's reply at time i must be independent of the verifier's challenge at 
time i, for any ie {1,2,..., n}. However, because there is no time measure before the 
fast phase, the adversary can query the legitimate prover with a sequence of challenges 
q n , hoping these will correspond to the challenges q n provided by the verifier during the 
fast phase. Because q n and q n are independently chosen, the probability of passing the 
proximity check is the same for any q n . Hence, without loss of generality, we assume 
that the adversary has access to the ri(<f)'s for q n = (0, 0, . . . , 0) = 0". The adversary 
is then successful only if ri(0 l ) — ri(q % ) for all i G {1,2, ... ,n}. For conciseness, 
from now on we write ri for ri(q l ) and fi for r^q 1 ). 

Letting t be the first time i > 1 when = 1, we have that f j = r t for i e 
{1, 2, . . . , t — 1}, and = with probability 1/2 for i £ {t, t + 1, . . . , n}. Therefore, 
letting r n = r\, r 2 , . . . , r„, the probability of a successful attack over one particular 
protocol execution can be computed as 

Pr(f" = r n ) = Pr(f" =r n \t = i) Pr(t = i) 

i=l 

+ Pr(f" = r n \q n = 0") Pr(q" = 0") 

n 

= y> 2 _(„-i+i) 2 -i + 2 _„ 

i=l 

= 2~ n (n/2 + l) 

and we get 

Pi{f-a\E b ) = 2-"+°( 1 ) (n -» oo) . (7) 
Similarly as in we have 

Pr(^ c )< jV( 2 ^~ 1) +0(2- 2 ^) (4-oo). (8) 

By taking £ b > n, from (O, (O, and (O the highest probability of false-acceptance that 
can be attained by an adversary who can relay messages satisfies 

Pr(f-a) = 2-"( 1 +°( 1 » ( n - oo) . (9) 



Without relay As one might observe, the security analysis in the above case "with 
relay" never uses the nonce a. Suppose the adversary cannot relay signals. Without 
the nonce a, the adversary can easily pass the authentication step by first obtaining the 



nonce b and the corresponding authentication string from the legitimate prover, then by 
presenting those to the verifier. The security is then based only on the proximity check. 
Instead, with a nonce a, this attack is less likely to succeed. Indeed, one can readily see 
that with £ a = m + n as in Section [XT] the probability of false-acceptance is as small 
as in the case of attacks without legitimate prover and is given by (0. 

4 Optimality of the proposed protocol 

We discuss the optimality of the proposed protocol by restricting our attention to bit 
exchange protocols that satisfy the following general properties: 

• The verifier and the legitimate prover share a common secret in the form of a bit 
string of length 1^. 

• The verifier always accepts the proof of identity of a legitimate prover. 

• Neither the verifier nor the legitimate prover collude with the adversary. 

Consider an authentication protocol that satisfies the above conditions. Among the 
bits sent by the prover during the execution of the protocol, some depend on the com- 
mon secret, and some do not. If m + n denotes the number of secret dependent bits, the 
false-acceptance probability (per adversary trial) of the protocol is at best 

o— (m+n) 

regardless of the type of attack. 

To overcome relay attacks, it is necessary that the verifier has a means to determine 
whether the prover is close to him — in our case the time measure. If n denotes the 
number of key dependent bits sent by the prover upon which the verifier evaluates his 
proximity, the probability of false-acceptance (per adversary trial) in the presence of 
relay attacks is at best 

2 -n _ 

In light of ((5]) and (0, our protocol is asymptotically optimal in the sense that the 
exponential rate at which the false-acceptance probability goes to zero as m and n tend 
to infinity is the best one can achieve among all protocols with the same parameters. 

5 Discussion 

Brands and Chaum [2] were the first to propose an authentication protocol using the 
idea of a proximity check (or distance bounding) between the prover and the verifier^ 
This protocol, similarly to ours, uses a proximity check in the form of rapid exchanges 
of challenges and responses between the verifier and the prover. After this phase, the 
prover authenticates himself by sending an m bit signature of all sent and received bits 
— the value of m is not specified. 

There are two possible attacks. The adversary can first query the legitimate prover 
with a particular sequence of challenges. Whenever the verifier picks the same sequence 
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of challenges, the adversary succeeds. The other attack consists in guessing the final sig- 
nature. The probability of false-acceptance over N protocol executions is thus approx- 
imatively N ■ 2~ * nin { m > n } t n being the number of responses provided during the fast 
phase. Since the only key dependent bits are the m ones of the signature, this protocol 
is optimal if m < n and suboptimal otherwise. 

Note that, although Brands and Chaum's protocol may be optimal, depending on 
the choice of the parameters m and n, once the number of fast phase rounds is fixed, 
our protocol achieves a much lower probability of false-authentication in the non-relay 
case — and the same in the relay case. 

All the subsequently published protocols [3,4,7-12] that prevent relay attacks, while 
having other features in terms of their complexity (computations, memory, amount of 
information exchanged) and their functionalities (mutual authentication, resistance to 
noise, resistance to colluding attacks), attain a probability of false-acceptance at best 
equal to the one of Brands and Chaum in both the cases with and without relay. Part of 
the reason is because authentication and proximity check are performed on the basis of 
the same bits. In our case instead, the bits sent during the authentication and during the 
proximity check differ. This main feature allows us to dramatically reduce the proba- 
bility of false-acceptance in situations where relays are not implementable, yet active 
attacks are possible. 

We now compare our protocol with Hancke and Kuhn's [7] since the structures of 
the fast phases are related. In Hancke and Kuhn's protocol, two registers x%, X2 , ■ ■ ■ , x n 
and j/i , j/2 , ■ ■ ■ , Vn are generated according to the secret key k and the random nonces a 
and b. For each round i of the fast phase, the legitimate prover replies xi or y,; depending 
on whether the verifier's challenge is equal to zero or one. The difference with our 
protocol is that the response at time i depends only on the current challenge and not 
on the past challenges (qi, q%,..., <7i_i), i.e., ri(q l ) — r^(gi)0 Because the adversary 
can query the prover during the slow phase, she can obtain the equivalent of an entire 
register. As a consequence, the probability of false-acceptance over N protocol execu- 
tions is approximatively N ■ (4) w , which is significantly higher than for our protocol — 
both with and without relay. 

We end this section with a practical consideration on our protocol. Interestingly per- 
haps, even if it gets interrupted during the fast phase, the verifier may still provide some 
reliable decision on whether to accept or to reject the prover's identity. (Of course, the 
probability of false-acceptance will depend on how many replies the verifier obtained.) 
This may be useful in situations where fast authentications are required — e.g., for toll 
gates on highways — since it allows the verifier to take a decision even if the protocol 
did not end properly. 

6 Concluding remarks 

The main contribution of this paper consists in a an authentication protocol that is 
asymptotically optimal in terms of probability of false-acceptance both in the relay 
and non-relay cases, in contrast with previous protocols. 

4 The two registers can be seen as forming a decision tree where, at any level, each node value 
depends only on whether it is issued by a left or a right branch. 



The performance of the protocol, however, comes at the expense of additional stor- 
age capabilities in order to compute the entire decision tree before executing the fast 
phase. This makes the protocol mostly suitable in applications where the number of fast 
phase rounds can be made small — for instance, in situations where relay attacks are 
expected to occur rarely. Numerically, taking n = 11 for instance, requires a 1KByte 
memory. Most RFID tags devoted to secure applications offer this value — the common 
NXP Mifare Classic Standard tag provides a 1KByte memory and ICAO-compliant 
electronic passports embed an at least 30KByte memory tag. 

Finally, we note that several other optimality criteria may be considered in addition 
to the one proposed in Section |4] An interesting direction to pursue might be, given the 
size of the secret key, to seek the tradeoff between the probabilities of false-acceptance 
with and without relay. 
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